Notice
This mailinglist archive is frozen since May 2001, i.e. it will stay online but will not be updated.

Re: [photo-3d] Paypal and non-USA-creditcard


  • From: Brian Reynolds <reynolds@xxxxxxxxx>
  • Subject: Re: [photo-3d] Paypal and non-USA-creditcard
  • Date: Wed, 19 Apr 2000 17:50:44 -0400

Eddie Bowers wrote:
> Brian Reynolds wrote:
> >By the way, you can just turn on SSL security.
> 
> Sure, but everyone who connects to your site will get a warning that
> your site is not trusted, so almost 100% of the time users will shy
> away.
> 

Assuming they have the security warnings turned on, and assuming they
have a reason not to trust me.  Many users turn off all the security
warnings in their software (or the software defaults to no warnings),
and there have been various attacks (via virus, javascript and
ActiveX, etc.) that turn off the security warnings without informing
the user.

For some entities you are pretty much required to use the certificates
(or equivalents) that they provide on their own servers.  I bet
Netscape serves up its own certificates, and I imagine Verisign does
too.

> >Public Key Interchange (PKI) is a tricky problem, and the current
> >solutions are pretty brittle.
> 
> Actually SSL uses a combination of public-key and symmetric-key
> encryption.  Works pretty damn well actually. Anything else is way
> too slow.
> 

Public key encryption is pretty good, but like all forms of encryption
distributing the keys (even public keys) is difficult.

PKI is the name for methods of distributing the public key used in
public key asymmetric encryption.  Since the network can't be trusted,
distributing your public key is not as simple as just putting it on
your web page.  There are several schemes currently in use for public
key interchange, and certificates distributed by a signing authority
like Verisign are just one method.

The most secure, most cumbersome, and fairly wide spread method is
manual key interchange.  You and the entity whose public key you need
(and who may need your public key) agree to meet and physically
exchange keys.  All other methods are less secure.

In order to make key interchange somewhat less cumbersome people came
up with the idea of key signing parties and key rings.  A group of
people meet, provide sufficient identification to each other to
provide a level of trust and exchange public keys.  Now if you need a
public key from someone who was at the party, and you weren't at the
party yourself, but you trust someone else whom you know who was at
the party you can exchange keys with the third person you know for the
key you need.  If you're really cautious, and you know two people who
were at the key signing party (or at two separate parties attended by
the entity whose public key you need) you get the public key you need
from both of them and compare the keys.

Certificate signing authorities are a somewhat automated electronic
version of key signing parties.  The differences are that there is no
physical meeting between entities, everyone must trust the entity
running the party (the signing authority), and you can't verify a key
by checking two entities who were at the "party" (because everyone
gives their keys to the signing authority, not to each other).

Theoretically an entity could get certificates from multiple signing
authorities in order to provide a greater level of verification (so that
someone communicating with you can be sure the signing authority
hasn't been compromised).  In reality due to the expense of getting
certificates I don't think anyone does this, and the widely available
software probably doesn't check multiple signing authorities for the
same entity.

> I could go into detail, but everyone else would get bored. :)
> 

Now I'm going to have to think of something stereo related to post in
order to keep my signal-to-noise ratio to at least 50%.  :)

-- 
Brian Reynolds                  | "Dee Dee!  Don't touch that button!"
reynolds@xxxxxxxxx              | "Oooh!"
http://www.panix.com/~reynolds  |    -- Dexter and Dee Dee
NAR# 54438                      |       "Dexter's Laboratory"
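The "really cautious" check from the post (get the key from two people who were at the party and compare) and the "certificates from multiple signing authorities" idea are the same check in different clothing: accept a key only when enough independent, trusted vouchers agree on its fingerprint and none contradicts it. The following is an added example, not code from the original post or from any mailing-list member. It models vouching as plain attestation records rather than real signatures, uses SHA-256 of the raw key bytes as the fingerprint (a simplification; PGP and X.509 fingerprints are computed differently), and the names alice, bob, eve, dan and the sample keys are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample "public keys": stand-ins for real key material.
KEYS = {
    "dan": b"dan-real-public-key",
    "dan-substituted": b"attacker-public-key",   # a key someone wants you to believe is Dan's
}


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 of the raw key, hex. This is the string people read aloud and
    compare at a key-signing party (simplified; real fingerprint formats differ)."""
    return hashlib.sha256(pubkey).hexdigest()


@dataclass(frozen=True)
class Attestation:
    """'introducer' met 'subject' in person and checked that their key has fingerprint 'fp'.
    Stands in for a key signature (or a CA-issued certificate) in this model."""
    introducer: str
    subject: str
    fp: str


def check_key(subject, candidate_pubkey, attestations, trusted_introducers, min_independent=2):
    """Decide whether candidate_pubkey is acceptable as subject's key.

    Returns (status, introducers):
      ("ok", [...])            at least min_independent trusted introducers vouch for
                               exactly this fingerprint and no trusted introducer contradicts it
      ("conflict", [...])      some trusted introducer vouches for a different fingerprint
                               (a substituted key, or a compromised/careless introducer)
      ("insufficient", [...])  too few independent trusted introducers agree
    """
    fp = fingerprint(candidate_pubkey)
    vouched = {}  # introducer -> set of fingerprints they have attested for this subject
    for a in attestations:
        if a.subject != subject or a.introducer not in trusted_introducers:
            continue  # untrusted vouchers carry no weight, whatever they say
        vouched.setdefault(a.introducer, set()).add(a.fp)

    # An introducer counts as agreeing only if every attestation of theirs matches;
    # one who has vouched for two different keys for the same person is contradictory.
    agree = sorted(i for i, fps in vouched.items() if fps == {fp})
    conflict = sorted(i for i, fps in vouched.items() if fps != {fp})

    if conflict:
        return ("conflict", conflict)
    if len(agree) < min_independent:
        return ("insufficient", agree)
    return ("ok", agree)


# Constructed attestations: alice and bob were at the party and checked Dan's key;
# eve was not, and vouches for the substituted key.
PARTY = [
    Attestation("alice", "dan", fingerprint(KEYS["dan"])),
    Attestation("bob", "dan", fingerprint(KEYS["dan"])),
    Attestation("eve", "dan", fingerprint(KEYS["dan-substituted"])),
]


if __name__ == "__main__":
    # Carol was not at the party but trusts alice and bob.
    print(check_key("dan", KEYS["dan"], PARTY, {"alice", "bob"}))
    # The substituted key is rejected because both trusted introducers contradict it.
    print(check_key("dan", KEYS["dan-substituted"], PARTY, {"alice", "bob"}))
    # Only one trusted voucher: not enough for the cautious policy.
    print(check_key("dan", KEYS["dan"], PARTY, {"alice"}))
    # If Carol also trusted eve, eve's disagreement would surface instead of being ignored.
    print(check_key("dan", KEYS["dan"], PARTY, {"alice", "bob", "eve"}))
```

The same function describes the single-CA case in the post if you set min_independent to 1 and the trusted set to just the signing authority: then any key the authority vouches for is accepted and nothing cross-checks it, which is exactly the weakness the post points at.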
